The social networking company also warned that the high cost of compliance with multiple national laws, rather than with an overarching EU regime, could cause it to introduce new features more slowly or not at all.
This fragmentation of regulatory action, though, can be bad for the EU, according to Facebook. “Facebook’s costs would increase, and people in Europe would notice new features arriving more slowly, or not at all. The biggest victims would be smaller European companies. The next big thing might never see the light of day,” Richard Allan, Facebook’s vice president of public policy in Europe, wrote in an opinion column in The Financial Times.
The way things are going, Facebook and other companies will have to comply with 28 national variants of EU law, posing serious obstacles, he said.
The European common market was created to avoid such a splintered system, Allen wrote in his column. If the same sort of fragmented enforcement approach that Facebook is now dealing with is applied to businesses in other industries, Allen wrote, “complying with EU law will no longer be enough; businesses will instead have to comply with 28 independently shifting national variants. They would have to predict the enforcement agenda in each country.”
Facebook argued that it should only be subject to scrutiny by the Irish data protection authority (DPA), since it established its European headquarters in Ireland five years ago.
“Initially, when the authorities in other countries had concerns about our services, they worked with the Irish regulator to resolve them. This is how European regulation is supposed to work: if a business meets regulations implemented in its home country, it can operate across the EU,” said Allan.
As part of its push against the authorities, Facebook recently filed a lawsuit against the Dutch DPA because it does not agree with the investigation, a spokeswoman for the authority said. She declined to give further details on the case, as it is ongoing. The suit is scheduled to be heard by the District Court of the Hague on May 20, a court spokesman said, declining to comment on the contents of the case.
Facebook did not immediately respond to a request for comment.
The national privacy authorities disagree with Facebook and say they do have authority over the company’s privacy practices. “It is quite simple, we have authority because Facebook processes data from Belgians,” said a spokeswoman for the Belgian Privacy Commission.
Belgian authorities are meeting with Facebook on Wednesday to talk about a report that they commissioned, which found that Facebook violates EU law by tracking visitors. Facebook says the report contains factual inaccuracies. A discussion about jurisdiction is also planned, the spokeswoman for Belgian DPA said.
The German DPA in Hamburg did not immediately respond to a request for comment.
Meanwhile, Jacob Kohnstamm, the chairman of the Dutch DPA, told Dutch newspaper Trouw on Wednesday that Silicon Valley companies are less impressed by a legal letter from Dutch data protection authorities than Dutch organizations might be. It is therefore important that the EU’s planned new privacy laws should be approved soon to give privacy authorities the opportunity to stand together against big U.S. companies, he said.
However, there is debate among EU lawmakers about how to approach data privacy enforcement. The European Commission approved a plan for a “one-stop-shop” mechanism that would make it easier for businesses and citizens to deal with privacy-related complaints. However, that proposal was later weakened by the Council of the EU, which added unnecessary bureaucratic steps, thus weakening the plan, privacy groups have warned.
EU institutions hope to come up with a definitive proposal for data protection reform by the end of the year.